
Industrial security - it's not the same as IT security

Niche market potential


In the past, equipment control for manufacturing processes on the shop floor tended to be carried out by discrete systems running arcane real time operating systems controlled by proprietary management systems that had no connection through to other systems.

In essence, this meant that the systems were secure, being "air locked" from everything else around them. The sensors fed information to a low-intelligence control unit that would send simple control sequences to actuators on the equipment. Sensor A shows that the temperature is too high here, actuator B opens up a little to let more coolant through, and so on.

If sensors sensed that something was way out of line, the controller just shut everything down for that piece of equipment. Problems only happened when there was a controller, sensor or actuator failure, and an engineer would be called in to physically replace the controller itself.

However, the drive for "IP everywhere" has started to bring such controls into the standard IT environment, and has introduced a new set of issues for the production line management, as well as the IT department.

For a start, many of these systems will have been in place for many years, and on the tried and tested principle of "if it isn't broken, don't fix it", the production line manager will not take kindly to anyone coming in and trying to replace any controllers, sensors and actuators, nor to "upgrade" them with additional pieces of technology to make them more amenable to being included in the overall IT environment.

Furthering the same principle, many of these controllers will not have had their internal software or firmware updated for years, leading to many different versions of systems being in place. However, as new equipment comes in, the pressure builds to include older equipment in the new systems, ensuring that the end-to-end process can be fully controlled - and that any failure along the line can be better managed by throttling back the whole production line, moving part of the process to another machine, or whatever.

Once the systems have been brought into an IP environment, however, the main issue that raises its head is security. Whereas the old air locked systems were inherently secure, requiring someone on-site with in-depth knowledge of the existing proprietary system to have any idea as to how to control it, the new systems can be accessed through standard tools over IP from anywhere in the world - if security is not applied in the correct manner.

At the basic level, these seem to be the same requirements as for a standard IT network - there is the need to stop outsiders from breaking into the environment and gaining control, to stop disgruntled people on site from sabotaging the process, and to safeguard against accidental damage by workers.

But the shop floor tends not to be the same as other parts of the IT empire. We're not looking at highly standardised operating systems, at SNMP (Simple Network Management Protocol) events that can be easily captured, or at highly manageable end points that can be accessed directly through existing systems management tools.

Also, when we have a problem in the general IT infrastructure, we call in an engineer who will need to be able to trace through the infrastructure to identify the root cause. On the production line, we will generally know what the root cause is, and any engineer coming in will be pointed to a specific piece of equipment with the instruction to fix it. Yet our new environments will enable any problems that this engineer may introduce into the system to have knock-on effects all the way through the entire process.

Therefore, a different approach to industrial security is required. We have to have a solution that is as unobtrusive as possible, that integrates directly into existing control systems, that understands the levels of granularity that are required to provide the security that we need, and yet can enable the IT department to see the overall environment as part of the main IT infrastructure.

One such company that does this is Innominate, a German company that provides "embedded" security solutions aimed fairly and squarely at the industrial sector. Its mGuard solution provides a non-intrusive solution that not only gives on-site security against malicious and accidental problems, but also gives full virtual private network (VPN) access that ties in directly with the rest of the security solution so that external engineers can access equipment remotely - so providing faster response and cheaper fixes for problems where on-site presence is not required.

Other areas covered by Innominate include operating-system-agnostic anti-virus, and high-availability redundant firewalls with failover to maintain uptime for remote access.

There are others in the market - Siemens and IBM both provide solutions via their professional services groups, and are increasingly building IP and security directly into industrial solutions.

Innominate is focused purely on this market - and seems to really understand what it is doing. However, it is a small company, and must manage its growth carefully. Its target market is large on a worldwide basis, and there are few players. This points towards the possibility of high growth - but this could also stretch the company's capabilities if not handled correctly. Innominate could also rapidly become a takeover target and this would also need careful handling to ensure that existing customers are fully supported while prospects are made to feel that the future is secure. Such a takeover could, paradoxically, provide the long-term stability for customers that may not be so apparent within a smaller company.

Overall, Quocirca believes that industrial security has to be dealt with - and that the growth of new equipment that has IP built directly into it means that it is becoming harder to disregard existing systems. As soon as a company looks at connecting two pieces of equipment together in a control sense, then security will have to be considered.

Copyright © 2007, Quocirca
